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We present a coalgebraic generalisation of Fischer and Ladner’s Propositional Dynamic Logic (PDL) 
and Parikh’s Game Logic (GL). In earlier work, we proved a generic strong completeness result 
for coalgebraic dynamic logics without iteration. The coalgebraic semantics of such programs is 
given by a monad T, and modalities are interpreted via a predicate lifting A whose transpose is a 
monad morphism from T to the neighbourhood monad. In this paper, we show that if the monad 
T carries a complete semilattice structure, then we can define an iteration construct, and suitable 
notions of diamond-likeness and box-likeness of predicate-liftings which allows for the definition 
of an axiomatisation parametric in T, A and a chosen set of pointwise program operations. As our 
main result, we show that if the pointwise operations are “negation-free” and Kleisli composition 
left-distributes over the induced join on Kleisli arrows, then this axiomatisation is weakly complete 
with respect to the class of standard models. As special instances, we recover the weak completeness 
of PDL and of dual-free Game Logic. As a modest new result we obtain completeness for dual-free 
GL extended with intersection (demonic choice) of games. 

1 Introduction 

Propositional Dynamic Logic (PDL) |41 and its close cousin Game Logic (GL) lfT4l are expressive, 
yet computationally well-behaved extensions of modal logics. Crucial for the increased expressiveness 
of these logics is the *-operator (iteration) that allows to compute certain, relatively simple fixpoint 
properties such as reachability or safety. This feature comes at a price: completeness proofs for deduction 
systems of logics with fixpoint operators are notoriously difficult. The paradigmatic example for this 
phenomenon is provided by the modal /i-calculus: Walukiewicz’s completeness proof from ifT^ for 
Kozen’s axiomatisation iflOl is highly non-trivial and presently not widely understood. 

Our main contribution is a completeness proof for coalgebraic dynamic logics with iteration. We 
introduced coalgebraic dynamic logics in our previous work f7l| as a natural generalisation of PDL and 
GL with the aim to study various dynamic logics within a uniform framework that is parametric in the 
type of models under consideration, or - categorically speaking - parametric in a given monad. In Q we 
presented an initial soundness and strong completeness result for such logics. Crucially, however, this 
only covered iteration-free variants. This paper provides an important next step by extending our pre¬ 
vious work to the coalgebraic dynamic logic with iteration. As in the case of PDL, strong completeness 
fails, hence our coalgebraic dynamic logics with iteration are (only) proved weakly complete. While 
the concrete instances of our general completeness result are well-known ifTTlfldl . the abstract coalge¬ 
braic nature of our proof allows us to provide a clear analysis of the general requirements needed for 
the PDL/GL completeness proof, leading to the notions of box- and diamond-like modalities and of a 
left-quantalic monad. As a modest new completeness result we obtain completeness for dual-free GL 
extended by intersection (demonic choice) of games. 
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At this relatively early stage of development our work has to be mainly regarded as a proof-of-concept 
result: we provide evidence for the claim that completeness proofs for so-called exogenous modal logics 
can be generalised to the coalgebraic level. This opens up a number of promising directions for future 
research which we will discuss in the Conclusion. 

2 Coalgebraic Dynamic Logic 

2.1 Coalgebraic modal logic 

We assume some familiarity with the basic theory of coalgebra OH, monads and categories |[T3l . We 
start by recalling basic notions from coalgebraic modal logic, and fixing notation. For more information 
and background on coalgebraic modal logic, we refer to itT^ . 

For a set X, v/e define Prop(A) fo be fhe sef of proposifional formulas over X. Formally, Prop(A) is 
generated by fhe grammar: Prop(X) 9 cp ::= x € X | T | ->(p \ cp A(p. 

A modal signature A is a collection of modalities wifh associated arifies. In Ibis paper, we will only 
consider unary modalities. For a sef X, we denote by A(X) fhe sef of expressions A(A) = {Ox \ O G A}. 
The sef ^{A,Pq) of A-modal formulas over A and a sef Pq of afomic propositions is given by: 

,^{A,Po) 9 (p ::=p GPq I T I -.(p I (pA(p I 0<p O G A. 

Lef T: Set —> Set be a functor. A T-coalgebraic semantics of ^{A,Pq) is given by associating with 
each O G A a predicate lifting A : £2 ^ ^ oT , where 3 denotes the contravariant powerset functor. A 
T -model {X,y,V) then consists of a carrier set X, a T-coalgebra y. X ^ TX, and a valuation V: Pq ^ 
j3^{X) that defines truth sets of atomic propositions as [[p]] = V{p). The truth sets of complex formulas 
is defined inductively as usual with the modal case given by: [[0<p]] = 7^H‘^x([[<p]]))- 

A modal logic ££ = (A,Ax,Fr,Ru) consists of a modal signature A, a collection of rank-1 axioms 
Ax C Prop(A(Prop(Po))), a collection Fr C ^(A,Po) of frame conditions, and a collection of inference 
rules Ru C ^(A,Po) x ^(A,Po) which contains the congruence rule: from (p G9 y/ infer Otp ^ Oy for 
any modality O G A. 

Given a modal logic = (A, Ax,Fr,Ru), the set of J^-derivable formulas is the smallest subset 
of ^(A,Po) that contains AxUFr, all propositional tautologies, is closed under modus ponens, uni¬ 
form substitution and under applications of substitution instances of rules from Ru. For a formula 
(p G ^(A,Po) we write \-jr (p if (p is .if-derivable. Furthermore cp is ^-consistent if i/jr -<(p and a 
finite set <I> C J^{A,Po) is .if-consistent if the formula /\<I> is .if-consistent. 

Next, we recall the following one-step notions from the theory of coalgebraic logic. Let A be a set. 

• A formula (p G Prop(A(.^(A))) is one-step ^-derivable, denoted (p, if (p is propositionally 
entailed by the set {ip^T \ T : P ^ 0^{X),y & Ax}. 

• A set <I> C Prop(A(.^(A))) is called one-step ^-consistent if there are no formulas (pi,..., <p„ G <I> 
such that \-jf (pi A • • • A (p„ —)• ±. 

• Let P be a Set-functor and assume a predicate lifting is given for each O € A. For a formula 
(p G Prop(A(,!^(A))) the one-step semantics [[(p]], C TX is defined by putting [[0(t7)]]( = Xx {U) 
and by inductively extending this definition to Boolean combinations of boxed formulas. 

• For a set <I> C Prop(A(.^3^(A))) of formulas, we let [[<I>]]j = n<pe<i>[[*P]]i’ ^^7 ’^^at <I> is one- 

step satisfiable if [[<!>]] j / 0. 
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• ^ is called one-step sound if for any one-step derivable formula (p G Prop(A(i^(X))) we have 
|I<p]]i = TX, i.e., if any such formula (p is one-step valid. 

• ^ is called one-step complete if for every finite set X and every one-step consistent set <I> C 
Prop(A(^(X))) is one-step satisfiable. 

2.2 Dynamic syntax and semantics 

In earlier work we introduced the notion of a coalgebraic dynamic logic for programs built from 
Kleisli composition, pointwise operations and tests. Here we extend this notion to also include iteration 
(Kleene star). 

Throughout, we fix a counfable sef Pq of afomic proposifions, a counfable sef Aq of afomic actions, 
and a signafure £ (of poinfwise operations such as U in PDL). The sef ^{Po,Ao,L) of dynamic formulas 
and fhe sef A = A(Po,Ao,£) of complex actions are defined by mufual induction: 

.^(Po,Ao,£) 9 <p ::= p € Pq \ L \ ^tp \ (p Atp \ {a)(p 
A{Po,Ao,'L) 3 a ::= a G Aq | a;a | a(ai,...,a„) | a* | (o? 

where a G £ is n-ary. 

Dynamic formulas are inferprefed in dynamic sfrucfures which consisf of a T-coalgebraic semanfics 
wifh addifional sfrucfure. Operafion symbols a G £ will be inferprefed by poinfwise defined opera¬ 
tions on (TX)^ induced by nafural operations a: T'' ^ T. More precisely, if a: T” ^ T is a nafural 
fransformafion, fhen aj : {{TX)^Y -3 {TXY is defined by of (/i,... ,fn){x) = Ox{f\ (x),... ,fn{x)). A 
nafural fransformafion XT T (when viewing £ as a Set-funcfor) corresponds fo a collecfion of nafural 
operafions a: T'^ ^T, one for each a G £. 

In order fo define composition and fesfs of acfions/programs/games, T musf be a monad {T,p,ri) 
such fhaf action composition amounfs fo Kleisli composition for T. In order fo define iferafion of pro¬ 
grams, we need fo assume fhaf fhe monad has fhe following properfy. 

Definition 2.1 (Left-quantalic monad) A monad {T,p,r\) is called left-quantalic if for all sefs X, TX 
can be equipped wifh a sup-laffice sfructure (i.e., a complefe, idempofenf, join semilaffice). We denofe 
fhe empfy join in TX by Ltx- We also require fhaf when fhis join is tiffed poinfwise fo fhe Kleisli Hom- 
sefs ja{T){X,X), fhen Kleisli-composifion leff-disfribufes over joins: 

yf,gr.x^TX,iei: f*\/gi = \/f*g,. ^ 

i i 

If is well known fhaf Eilenberg-Moore algebras of fhe powersef monad ^ are essentially sup-laffices, 
and fhaf relafion composition leff-disfribufes over unions of relations, hence is lefl-quanfalic. We 
observe thaf one way of showing thaf T is leff-quanfalic is fo show fhaf fhere is a morphism of monads 
^ ^T. 

Lemma 2.2 Let {T,p,ri) be a monad. If there is a monad morphism t: ^ T, then {T,p,ri) is 
left-quantalic. 

Proof. A monad morphism t: ^ T induces a functor S.^{T) -3 by pre-composifion. 

If follows, in particular, thaf fhe free T-algebra is mapped fo a sup-laffice {TX,px° 'trx)- We exfend 
fhis sup-laffice sfrucfure on TA poinfwise fo a sup-laffice sfrucfure on JC£{T){X,X), fhaf is, for all 

{gi\iel}cjC£{T){x,x), 

{ygi){x) = Pxi'tTxiigiix) I f G/})). 
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Kleisli-composition distributes over this T-induced join since px and Tf preserve it, for all functions 
f-.X^Y, due to naturality of T, and these maps being T -algebra morphisms. QED 

Note that any natural transformation x: ^ yields a natural transformation I ^ ^ ^ T, where 
\ ^ picks out the empty set, such that T is pointed as defined in f7T|. 

Example 2.3 The three monads of particular interest to us were described in /[7|/; The powerset monad 
the monotone neighbourhood monad the neighbourhood monad These are all left-quantalic. 
For example, the transpose of the Kripke box G = Xx- ^X ^X defined by Xx{U) = {V C.X \ U FV} 
is a monad morphism. The join on .MX induced by Q is intersection of neighbourhood collections. 
Dually, the transpose of the Kripke diamond Ox (U) = {V fX\Ur)V is also a monad morphism 
^ M, and its induced join is unions of neighbourhood collections. 

The generalisation of iteration for PDL-programs and GL-games is iterated Kleisli composition. 
Given /: X TX, we define for all n < (o: 

flO] ^ f[n+l] =/„/[«], f*=\J fin] ( 1 ) 

n<co 


Definition 2.4 (Dynamic semantics) Let T = {T,ri,p) be a left-quantalic monad, and 6 : LT => T a 
natural Z-algebra. A (Po,Ao, 6)-dynamic T-model Tl = {X,Yo,X,V) consists of a set A, an interpretation 
of atomic actions : Aq —> (TA)^, a unary predicate lifting A : .So T whose transpose X: T ^ M 

is a monad morphism, and a valuation A: Pq —)■ S^{X). We define the truth set [[<p]]®^ of dynamic formulas 
and the semantics 7 : A ^ (PA)^ of complex actions in 9J1 by mutual induction: 

W” = v(p), I«>Art” = W"nllv/r. M” = x\W”. 
ll(a><pr = (r{a)-'oAO(W”), 

7(a(ai,...,o,)) = 

7(a;P) = r(a)*r(P) 

y(a*) = y(oc}* 

y((p?)(x) = rix(x) if X G [[<p]]®^, ±7 


-TX 


where a € £ is n-ary, 
(Kleisli composition), 
(Kleisli iteration), 
otherwise. 


We say that validates a formula (p if [[<p]]®^ = A. A coalgebra 7 : A —)■ (PA)^ is standard if it is 
generated by some 70 : Aq ^ (PA)^ and L: Pq —> S^{X) as above, and we will also refer to (A, y,X,V) 
as a 0-dynamic T-model. <1 


Recall that PDL can be axiomatised using the box or using the diamond, but the two axiomatisations 
differ. For example, the axioms for tests depend on which modality is used. In the general setting we 
need to know whether a predicate lifting corresponds to a box or a diamond. 


Definition 2.5 (Diamond-like, Box-like) Let A: .^^.SoPbea predicate lifting for a left-quantalic 
monad P. We say that 

• A is diamond-like if for all sets A, all U CX, and all {f, | / G /} C PA: 


V ti G Xx{U) iff 3/ G / : U G Xx{U). 
iei 


• A is box-like if for all sets X, all t/ C X, and all {ti | / G /} C TX: 

V ti € ^x{U) iff V/ G / : U G Xx{U). 

iei 


< 
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Remark 2.6 Note that X is diamond-like iff Xx{U) is a complete filter of the semilattice TX for all 
U C.X. One also easily verifies that X is diamond-like iff its Boolean dual is box-like. It is easy to see 
that ifX is diamond-like then it is also diamond-like according to our “old” definition in ^[7|/, similarly for 
box-like. However, it is no longer the case that every predicate lifting is either box-like or diamond-like, 
e.g., forT = ^, Xx{U) = {V CX\tD^V CU} is neither. 


Example 2.7 It can easily be verified that the Kripke diamond (box) is indeed diamond-like (box-like) 
for IX*. Taking T = and union as join on .ff(X (i.e., the join induced by O, cf. Example \2.3)) . then the 
monotonic neighbourhood modality Xx{U) = {N G .JfX \U &N} is diamond-like, but taking intersection 
as the join on .fffX then X is box-like. Similarly, X is diamond-like when viewed as a neighbourhood 
modality for jV-coalgebras with union as join. Note that this shows that diamond-likeness does not 
imply monotonicity. We only have, if X is diamond-like, then X: T ^ c/K is monotone. 


We will use the following crucial lemma about the Kleisli composition and predicate liftings. 


Lemma 2.8 Let X\ ^oT be a predicate lifting whose transpose A : T => ^ is a monad morphism. 
For all f,g :X TX, all x ^X and all U CX, we have 


Proof. We have: 


(f*g)(x) G Aa'(U) 


{f*g)(x)€Xx{U) 

iff 

(def. of A) 

iff 

(A monad morph.) 

iff 

(def. of p^) 

iff 

(def. of gK) 

iff 

(def. of Tj) 

iff 

(def. of A) 

iff 

(naturality of A) 

iff 

(def. of gP) 

iff 

iff 


f{x)eXx{g-HMu)). 

Px{Tg{f{x)))eXx{U) 

U eXx{px{Tg{f{x))) 
Uepf{NKXx(,XTx{Tg{f{x))))) 
B&>(X){U) ^^Xx (Xtx{T g{f{x)))) 
(b^(x)(XI)) ^^Tx(Tg(f(x})} 
{teTX\Ue Xx{t)} G XTx{Tg{f{x))) 
{t G rx 11 G Xx{U)} G XTs{Tg(f{x))) 
{t G rx 11 G Xx{U)} G .^g(Xx(f{x))) 
g-^(Xx{U))eXxif{x)) 
f{x)^Xx{g-\Xx{U))) 


QED 


2.3 Coalgebraic dynamic logic 

Our notion of a coalgebraic dynamic logic relates to coalgebraic modal logic in the same way that PDL 
relates to the basic modal logic K. In the remainder of the paper, we assume that: 

• T = (r,/i,T]) is a left-quantalic monad with join \J : ^f^TX —)• TX, 

• A: £2 ^ £2 oT is a diamond-like with respect to (rX,V), monotonic predicate lifting whose 
transpose A : L => is a monad morphism, 

• £ is a signature and for each n-ary a G £ there is a natural operation a: T” ^ T and a natural 
operation %: jV'' => jY such that Aoa = xoA”. We denote by 0 the collection {a | ^ G £}. 

Using the last item above, we showed in [71 section 4] how to associate to each operation symbol a G £ 
a rank-1 axiom (a(ai,...,a„))p -G)- (p(x,ai,...,an,p). Briefly stated, we use that a X- xY" ^ 
corresponds (via the Yoneda lemma) to an element x of the free Boolean algebra A'{n ■ <S(2)) gener¬ 
ated by n ■ £2(2). By assigning a rank-1 formula to each of the generators, we obtain a rank-1 formula 
(p(X,a\,...,ot,i,p) for each X- For example, the PDL axiom {aCfi)p -G)- (a)p V (j8)p is of this kind. 
Our completeness result will be restricted to positive operations. 
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Definition 2.9 (Positive natural operations) We call %: ./K” ^ jV a positive operation if x can be 
constructed using only A and V in AK(n • If a : and x ■ ^ are such that A o a = 

X o A”, then we call a positive if X is positive. The axioms for positive pointwise operations of the form 
x = s A p are obtained by extending Definition 14 from fT| with a case for conjunction: 

(p(5Ap,a„,p) = (p(5,a„,p) A (p(p,a„,p). < 

Example 2.10 Positive natural operations on include union, but complement and intersection are 
not natural on Positive natural operations on ^ include union and intersection, but not the natural 
operation dual. 

Definition 2.11 (Dynamic logic) Let jAo = ({O}, Ax,0,Ru) be a modal logic over the basic modal 
language ^{{<>},Pq). We define A = {(a) | a € A} and let Ax^ = (JaEA'^^a where Ax^ is the set of 
rank-1 axioms over the labelled modal language ^{Pq^Aq,!.) obtained by substituting (a) for O in all 
the axioms in Ax. We define Ru^ similarly as all labelled instances of rules in Ru. 

The 6-dynamic logic over .ifo is the modal logic .if = .if (6, ;,*,?) = (A, Ax',Fr',Ru') where 
Ax' = Ax^u{(a(ai,...,a„))pO(p(A,ai,...,a„,p) I aGr,a,-€A} 

Fr' = {(a;j3)p o (a)(j8)p I a,j3 gA,p gPo}U 
{{ot*)p o p V {a){a*)p I a e A}u 
{(V/?)p o (v/Ap) I tp € ,^{Po,Ao,L)} 

= Ru.uj |„6 a| 

I {a*)(p-^\f/ j 

Proposition 2.12 If A sound wrt to the T-coalgebraic semantics then the 0-dynamic logic .if is 
sound wrt to the class of all 6-dynamic T-models. In other words, for all tp € .^(Po,Ao,L) and all 
6-dynamic T-models 201= {X,Yq,X,V) we have 

|-_ 5 f (jO implies that 201 validates g). 

Proof. In fT], we showed soundness of the axioms for pointwise operations, sequential composition and 
tests with respect to 0-dynamic T-models (without iteration). Soundness of the star axiom is not difficult 
to check. Soundness of the star rule can be proven as follows: Suppose = (X, 7 , A, F) is a 0-dynamic 
T -model such that 971 validates the formula (a)t/r V (p —)• t/r. For any state x € X such that x |= {c)t*)(p we 
have — by standardness of 7 — that 7 (a)*(x) G Ax([[<p]]). This implies Vy(x) G Ax([[ip]]) and, 
by diamond-likeness of A, there is a j >0 such that 7 (a)W(x) G Ax([[<p]]). Therefore, to show that 971 
validates {oc*)(p —> yt, it suffices to show that for all 7 > 0 we have Uj C [[ip]] where 

Uj = {xGX\Yia)^Hx)€Xxm)}- 

We prove this by induction. For 7 = 0 the claim holds trivially as by assumption the premiss of the star 
rule is valid and thus [[(p]] C [[ip]]. Consider now some 7 = / -|- 1. Then we have 

17 ,+1 = {xGX\Yiaf+^\x)€Xxm)} 

= {xeX\Y{a)*m^Hx)eXxm)} 

Le^mi {^^x\Y{a){x)eXxm} 

C {xGX| 7 (a)(x)GAx(W)} 

= [[(*^) ^ [[V^E inclusion holds by validity of rule premiss) 


QED 
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3 Weak Completeness 

In this section, we will show that if the base logic is one-step complete with respect to the T- 
coalgebraic semantics given by A, and 6 consists of positive operations, then the dynamic logic = 
^(6,;,*,?) is (weakly) complete with respect to the class of all 6-dynamic T-models, i.e., every ^- 
consistent formula is satisfiable in a 6-dynamic T-model. As in the completeness proof for PDL, a 
satisfying model for a formula t/r will essentially be obtained from a filtration of the canonical model 
through a suitable closure of 

A set <I> C ^{Pq,Aq,L) of dynamic formulas is (Fischer-Ladner) closed if it is closed under subfor¬ 
mulas, closed under single negation, that is, if (p = -it/r e <I) then E <I>, and if (p E <I> is not a negation, 
then -i(p E <I>, and satisfies fhe following closure conditions: 

1. If (a;j3)(p E <I> fhen (a)(j8)(p E <I>. 

2. For all l-sfep axioms (a(ai,... , a„))p -E^ (p{x,ai,...,an,p), if {a{ai,...,a„))Y E <I> fhen also 

3. If (v^?)<p E <I> fhen y/A (p E <I>. 

4. If {a*)(p E <I> fhen {a){a*)(p and {a)(p E <I>. 

Given a dynamic formula we denote by Cl{\lf) fhe leasf sef of formulas fhaf is closed and confains 
yr. A sfandard argumenf shows fhaf Cl{\g) is finite. 

From now on we fix a finife, closed sef <I> (which may be fhoughf of as Cl{\g) for some Y)- 
AF-atom over <I> is a maximally .if-consislenl subsef of <I>, and we denofe by S fhe sef of all .if-aloms 
over <I>. For (p E ^{Po,Ao,L) we pul (p = {A E S | (p E A}. 

Nofe fhaf, in particular, for each (p ^ <I> we have (p = 0. A maximally .Af-consislenl sef (MCS) S is a 
maximally .if-consislenl subsef of J^{Po,Ao,L). Clearly, for each MCS E we have E n<I> is an .if-alom. 
Any subsef of S can be characterised by a proposilional combinafion of formulas in <I>. If will be useful 
lo have a nofafion for Ihese characferislic formulas al hand. 

Definition 3.1 (Characteristic formula) For 17 C 5, we define fhe characferistic formula of U by 

^u=\/ /\A 

Aeu 

where for any A E S, /\A is fhe conjunction of fhe elemenls of A. < 

We will use fhe following facf fhaf allows fo liff one-sfep completeness of fhe base logic lo AF. 

Lemma 3.2 If Afo is one-step complete for T then A£ is one-step complete for T^. 

The proof of fhis lemma is analogous lo fhe proof of fhe corresponding slalemenf in Q. The main 
difference being fhaf instead of arguing via MCSs one has lo use aloms. Nofe fhaf only fhe axioms for 
poinlwise operations have influence on one-sfep properties, as fhe ones for ; and * are nol rank-1. 

3.1 Strongly coherent models 

As in the finitary completeness proof of PDL ifTTI and the finite model construction in HU, we need a 
coalgebra structure on the set S of all .Af-atoms over <I> that satisfies a certain coherence condition which 
ensures that a truth lemma can be proved. 
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Definition 3.3 (Coherent structure) A coalgebra 7 : 5 —(rS)'^ is coherent if for all F € 5 and all 
(a)(pG<I>, 7 (a)(r) € A 5 ((p) iff {a)(peT. < 

Lemma 3.4 (Truth lemma) Let y: S ^ (TS)^ be a coherent structure map and define a valuation V : 
Pq ^{S)for propositional variables p & Pq by putting V(p) = p. For each F € 5 and (p we have 

(S, 7 ,F),F^(p ifif (PGF. 

The lemma follows from a standard induction argument on the structure of the formula (p - the base case 
is a immediate consequence of the definition of the valuation, the induction step for the modal operators 
follows from coherence. 

In order to prove coherence for iteration programs a*, we need the following stronger form of co¬ 
herence, which is inspired by the completeness proof of dual-free Game Logic in fl^ . 

Definition 3.5 (Strongly coherent structure) We say that 7 : 5 —> {TS)^ is strongly coherent for a £A 
if for all F G S and all U F S: 7 (a)(F) G Xs{U) iff (a)i§j/ AF is .if-consistent. <1 

In the remainder of this subsection, we prove the following existence result. 

Proposition 3.6 If Afc, is one-step complete for T, then there exists a y. S ^ {TS)^ which is strongly 
coherent for all ot &A. 

Let (—)t*: Prop(A(.^(5'))) —> Prop(A(Prop(<I>))) be the substitution map induced by taking 
for all U G t^{S). Conversely, let (—)s: Prop(A(Prop(<I>))) —> Prop(A(.^(5'))) be the substitution map 
induced by taking Ts = S and for all y S Prop(<I>), t/A = {A G S | A hp/, t/r}. 

Lemma 3.7 (Derivability) For all tp G Prop(A(Prop(<I>))), 

1. q)s implies \-^ 

2. ^ <P- 

Proof. Claim 1: For all t/r G Prop(A(^(S))), t/r implies that h ^ y^- 

It is clear that Item 1 follows from Claim 1 - let us now prove Claim 1: Suppose that i/r, ie., assume 
that Y is one-step .if-derivable. By the definition of one-step derivability, this means that the set {xo \ 
X G Ax, a : P —> propositionally entails Y- This implies that y^ is a propositional consequence 

of the set W = {x<y'^ \ X P Ax,a : P —)• IP{S)}. Any formula x<^^ € W can be written as X'^ with 
T : P ^ Prop(<I>) defined as z{p) = ^a{p) ' i^ other words, all elements of W are substitution instances 
of .if-axioms, y'^ is a propositional consequence of W and hence, as .if is closed under propositional 
reasoning and uniform substitution, we get l-_^ i/r# as required. 

It remains to prove item 2. We prove that for all Y G Prop(<I>), 

\-^Y^ ((ps)* ( 2 ) 

Item 2 then follows by applying the congruence rule and propositional logic. For (jUl, it is easy to see 
that for all (p G Prop(<I>), hpp (Ys)'^ and hence h_sf (<Ps)** —<p. For the other implication, suppose 
towards a contradiction that (p A -■(•Ps)^ is .if-consistent. Then there is a maximally .if-consistent set S 
such that (p, -'(ips)^ G S. Take A := E n <I>. We have 


for all tp^ G Prop(<I>) : APplY or A -itp 


( 3 ) 
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The proof is by induction on y/. The base case where t/r £ <I) is trivial. If t// = -it//', then by I.H. 
A \-pL yf' or A \-pi -it/r' and it follows that A \-pi -it/r or A \-pL y/. U y/ = y/i A yfi, then by I.H. we have: 

(AhpLt/Ti or ALpi^yri) and (A hpz. 1/^2 or ALpL^yr 2 ). 

Considering all four combinations yields A t/rj A t //2 or A hp/, -i(t/ri A 

From (l3]l and (p € E, we obtain that A hpp (p. On the other hand, from -■(•Ps)** £ E it follows that 
A l/pp (ips)**, and hence, because (ips)** = ViA^ I ^ ^pl tp}< we have A l/pp (p. Thus we have a 
contradiction, and we conclude that y) A -■((ps)** is .if-inconsistent which proves that (p —)• {y)s)'^- QED 

Lemma 3.8 (Existence lemma) Assume that .ifo is one-step complete for T. For all a and allF €S 

there is a tap G T (S) such that for all U FS, 

1. IfT {a)^u then tap € Xs{U). 

2. IfF |-_sf -■(«)(§[/ then tap € Xs{U). 

3. Ifr l/_ 5 f {ol)^u and {ot)^u A F is Af-consistent, then tap G 

It follows that for all a ^ A and allT £ S there is a tap G T (S) such that for all U f S, 

tap ^ ^s{U) iff r A {a)-^-consistent. (4) 

Proof. We spell out the details of the proof for the case that A is a diamond-like lifting. For the case that 
A is box-like the roles of the positive and negative formulas of the form {a)(p and -'(a)(p in the proof 
have to be switched. We now turn to the proof of the lemma. 

Suppose for a contradiction that there is a £ A and F £ S such that no f £ TS satisfies conditions 1 
and 2 of the lemma. Consider the formula 

(p(r) = V{(«)^x \XFS,r hpp -(a)^x} V I X c s,r hpp {a)^x} 

and note that 

(p(F)s = \/{{oc)X I X c s,r hpp V\/{-(«)X | X c S,r hpp {a)^x} 

Then by our assumption on a and F we have [[<p(r) 5 ]]j = {TS)^. Recall from Lemmathat one-step 
completeness of .ifo implies one-step completeness of .if wrt T^. Therefore we obtain that <p(r )5 
and thus, by Lemma iTTl that h ^ <p(r). This yields a contradiction with our assumption that F is .if- 
consistent. For each F £ S and a £ A we fix an elemenf 5a,r & TS satisfying conditions 1 and 2. 

Consider now F £ S and lef 17 C S be such fhaf F 1/^ and {a)^p AF is .if-consisfenf. As 

(a)i§c/AFis .if-consisfenf fhe sef {(a)i§j/}U {-■(«)| rhpp ^{a)^x} is .if-consisfenf and we can eas¬ 
ily show - using Lemma iTTl - fhaf fhe sef {{a)U } U {-'(a)X | F hpp -^{a)^x} is one-sfep .if-consisfenf. 
Therefore by one-sfep complefeness of .if fhere musf be an /r,c/ £ {TS)^ such fhaf 

fpu h' M{{ot)U}\J{^{a)X I rhpp-(a)§x}) 

or, equivalenfly, 

/r,j/(a)Gn({^5(^)}U{5\A5(X) |rhpp-(a)§x}). 

Using fhe facf fhaf A is diamond-like we can now easily verify fhaf for each F £ 5 and a £ A fhe join 
tap '■= Vt/es/r,[/(ct) V%,r wifh E = {17 FX\T\/^ {ot)^u and («)(§[/AF is .if-consisfenf} satisfies all 
condifions of fhe lemma. QED 

Proposition 13.61 now follows immediately from Lemma lT^ bv faking 7 (a)(r) := t^.r for all a £ Aq. 
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3.2 Standard, coherent models 

We saw in the previous subsection that one-step completeness ensures the existence of a strongly coherent 
structure. However, this structure is not necessarily standard. We now show that from a strongly coherent 
structure, we can obtain a standard model which satisfies the usual coherence condition by extending the 
strongly structure inductively from atomic actions to all actions a G A and proving that the resulting 
structure map 7 : 5 —> {TS)^ is coherent. 

We start by defining a 7 : S —> {TS)^ which is almost standard. For technical reasons, we define 7 on 
tests from <I> in terms of membership. Once we prove that truth is membership (Lemma r3.16l ). it follows 
that 7 is standard. This way we avoid a mutual induction argument. 

Definition 3.9 (Coherent dynamic structure) Let 70 : S —be the strongly coherent structure 
that exists by PropositionDefine 7 : S ^ (TS)'^ inducfively as follows: 


7(a) 

:= %(«) 

for a G Aq 


f ^75(0 

if <p G F and (p G<Y> 

7(<p?)(r) 

:= r]5(r) 

ifTGMfx.yv) and 



otherwise. 

7 (a(ai,...,a„))(r) 

:= a5(7(ai)(r),...,7(a„)(r))) 

7(«*)(r) 

:= 7(«)*(r) 



where V is the canonical valuation V(p) = {A G 5 | p G A}. <1 

The rest of the section will be dedicated to proving that 7 is in fact coherent. This can be done largely 
similarly to what we did in our previous work [61 for the iteration-free case. The main difference is ob¬ 
viously the presence of the ^-operator. Here a crucial role is played by the following monotone operator 
on ^(S) that allows us to formalise a logic-induced notion of reachability. 


Definition 3.10 (F^) For j 8 G A and X C S we define an operafor 

Y i-> {A G 5 I A A consistent} UX 

It is easy to see that this is a monotone operator, its least fixpoint will be denoted by Z|^. <1 

Lemma 3.11 For all Ag S and allX F S we have: A A is consistent ^ A G Z^. 

Proof. This is an immediate consequence of the fact that Z^ is a fixpoint of Fp . QED 

The following technical lemma is required for the inductive proof of the first coherence Lemma [3.14l 


Lemma 3.12 Let (5 G Abe an action such that for allT G S and all X F S we have 

Fa (j8)i§x consistent 7(r) G 

Then Y GZ^ implies 7(j3*)(r) G 
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Proof. This proof is using our assumption that A is diamond-like. Recall first that by definition we have 
7 (j 8 *) = 7 (j 8 )*, thus we need to show that 7 (j 3 )*(r) G Let Y = {A € 5 | 7 (j 8 )*(A) G In 

order to prove our claim it suffices fo show fhaf F^iY) C F, ie, fhaf F is a prefixed poinf of (as is 
fhe smallesf such prefixed poinf and as C F is equivalenf fo fhe claim of fhe lemma). Lef TGF^iY). 
We need fo show fhaf F G F. In case F G X we have ^^(F) = t](F) G ^si9) because t](F) G ^si9) 
is equivalenf fo F G X as A is a monad morphism. Suppose now fhaf F A is consisfenf. By our 

assumpfion on j3 fhis implies fhaf 

7 (^)(F) g XsiY) = A5({A I 7(^)*(A) g A5(X)}). 

Using Lemma [2^ fhis implies 

(7(^)*7(^)*)(F)gA5(X) 

and 

7(j8)*7(i8)*(r) = (7(i8)*Vr(^)'''')(r) = Vr(i8)''+^kr) 

i i 

where fhe lasf equably follows from fhe facl fhaf we are working wilh a monad T whose Kleisli compo- 
silion lefl-disfribufes over joins. As A is assumed fo be diamond-like, if follows fhaf fhere is a y > 1 such 
fhaf 7(j3)['^l (F) G A 5 (X) and fhus F G F as required. QED 

We are now ready fo prove Iwo crucial coherence lemmas. As we are ulfimalely only interested in fhe 
frufh of formulas in <I> we can confine ourselves fo whal we call relevant acfions: 

Definition 3.13 (Relevant test, relevant action) A test (pi is called relevant if (p G <I>. An action a G A 
is called relevant if it only contains relevant tests. o 

The following lemma proves the first half of the announced coherence. 

Lemma 3.14 For all relevant actions (X G A, T G S and all X CS we have 

FA {(x)^x consistent => 7 (o;)(F) G A 5 (X). 

Proof. By induction on a. The base case holds trivially as 7 is strongly coherent for all atomic actions. 
Let a = (pl for some (O G <I> (here we can assume (p G <I> as we only consider relevant actions) and suppose 
F A {(pl)^x is consistent for some X C S. Then, as A is diamond-like, we have F A (p A is consistent. 
This implies (p G F and F G X. As (p G F, we have by the definition of 7 that 7 ((p?)(F) = T]s(F) and thus 
F G X implies 7 ((p?)(F) G A 5 (X) as required. 

For an n-ary pointwise operation a G X, we want to show that 

fa (a(aa,...,a„))(§x consistent ^ a|( 7 (ai)(F),..., 7 (a„)(F)) G As(X) 

Using the a-axiom and that Xoo = x° A”, this is equivalent to 

FA(p(A,a„,(§x) consistent ^ X G Zs(A( 7 (ai)(r)),...,A( 7 (a„)(F))) (5) 

and (l5]l can be proved by induction on ^ in a manner very similar to the one used in the proof of Lemma 
27 in 1(61. 

Suppose a is of the form a = j8o;j3i and suppose F A {^o<Pi)^u is consistent for some U F S. 
Using the compositionality axiom we have (jSo; GX Therefore r A {po){l5i)^u is 
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consistent. This implies in turn that T A (j8o)(T A is consistent and, as l-_ 5 f T -fA VaesA^ by 

LemmaO we obtain that TA (j8o) ((VaesA'^) {l^i)^u) and thus T A (j8o) (Vae5 A('^^ (i^O^c/)) is 
consistent. Clearly the latter implies that r A (j8o) (Vaef A('^ (j 8 i)'§c/)) is consistent for F := {A G 5 | 

A A (j8i)i§c/ consistent}. Therefore we also have T A {po)^Y is consistent. Now we apply the induction 
hypothesis to get 


7 (A))(r) € A 5 (F) = AsdA € S I AA{pi)^u consistent}) C A^^A € S \ G A 5 ([/)}) 


and by Lemma |2^ we conclude that 7 (j 3 o;j 3 i)(r) = 7 (j 8 o) * 7 (j 8 i)(r) G 

Suppose now a = p*. It follows from Lemma [3.12l and the I.H. on p that L G implies 7(j3*)(r) G 
^^(X). Therefore it suffices to prove that T A (j 8 *)i§x is consistent implies T G Z^. 

Suppose that T A {P*)^x is consistent and recall the o-induction rule: 

h (j3)v/V(p^t/r 


Our claim is that 


k{P*)(p^Y 




(+) 


Before we prove [(+)] let us see why it suffices fo complefe fhe proof: If |(+)| holds, we can apply fhe 
inducfion rule in order fo obfain 

k{P*)^x^^. (6) 

By assumption we have F A {p*)^x- Togefher wifh ® fhis implies fhaf T A are consisfenf and fhus, 
by Lemma [3.111 fhaf T G Z^ as required. 

Proof of|(+)t Suppose for a confradicfion fhaf |(+)| does nof hold. This implies fhaf ({p)^^x V i§x) A 
is consisfenf. We distinguish fwo cases. 

Casel{p)^zx A ~'^z^ is consisfenf. Then fhere is a maximal consisfenf sef S such fhaf {p) ^ 
Lef A := En<I>. By definition and (|3]l we know fhaf ^^z^ fhus A G 5'\Z^. Furthermore 

A A {P)^z^ is consistent. The latter implies, again by Lemma lS.l 11 that A G Z|^ which is a contradiction 
and we conclude that {P)^z^ A -'^z^ cannot be consistent. 

Case 2 ^x A ~'^z^ is consistent. Again - using a similar argument to the previous case - this implies that 

there is an atom A GS\Z| such that A A is consistent. But the latter entails that A G X C Z^ which 
yields an obvious contradiction. QED 


Lemma 3.15 For all (a)(p and aZZ F G S we have 

yia){r) € Xs{(p) =A {a)(p€r. 

Proof. Again this is proven by induction on a. Let a = y/? and suppose 7 (i^?)(r) G ^si^) for some 
{y/'l)(p G <I>. As A is diamond-like, we have 7(yr?)(r) 7^ _L and thus, by the definition of 7 , we have 
i/r G r and T7s(r) G The latter implies F G <p, ie, (p G F. Both t// G F and (p G F imply, using the 

axiom h je (vr?)<p -G)- tp^ A (p, that (vr?)<p G F as required. 

Let a be of the form a = p* and let F G 5 be such that 7(o;)(r) G Xs{^). Then 7(a) = yiP)* ^rid 
thus we have 7(j8)*(r) G This means that yjy{p)^j^(r) G By diamond-likeness of A this 

is equivalent to the existence of one j > 0 such that 7 (j 8 )b 1 (r) G 
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In case j = 0 we can easily see that F € <p, ie, (p € F which implies - using the axiom ((j 8 )(j 8 *)(p V 
(p) o (j 8 *)(p - that (j3*)(p e F. 

Suppose now 7 = m + 1, ie, 7 (j 8 )['”+^l(F) € By Lemma l2^ this implies that 

7(^)(F)€A5({A|7(^)H(a)gA5((p)}). 

By I.H. on m we have {A | 7(j3)t'”l (A) € A((p)} C (j 8 *)(p and hence, by monotonicity of A, that 

By I.H. on j 8 this implies that (j 8 )(j 8 *)(p € F and thus - using again the same axiom as in the base case - 
that (j3*)(p € F. QED 

Lemma 3.16 (Dynamic truth lemma) The coalgebra structure 7 : S ^ (TS)^ from Def. 13.91 together 
with the valuation F : P —)■ given by V{p) = p for p € Pq forms a d-dynamic T-model such that 

for all (p we have [[<p]] = (p. 

Proof. It follows from Lemma iLldl and Lemma [3T5] that for all {cc)(p G <I> we have 

(a) (per iff 7 (a)(F)€A 5 ((p). 

Therefore it follows by Lemma [L4l that [[(p]] = (p for all (p € <I> as required. In particular this shows that 
the resulting model is 6 -dynamic, since for all relevant tests (pi we have (p G F iff F G [[(p]]. QED 

Theorem 3.17 If = ({O}, Ax,0,Ru) is one-step complete with respect to the T-coalgebraic se¬ 
mantics given by X, and 6 consists of positive operations, then the dynamic logic ^ = .if (6,; ,* , ?) is 
(weakly) complete with respect to the class of all d-dynamic T-models. 

Proof. Assume that y/ is an .if-consistent formula. Let S be the set of .if-atoms over <I> = CI{y) and 
let 7 : 5 —> (TS)"^ be defined as in Definition 13.91 and V the valuation given by V{p) = p for p G Pq. By 
Lemma [ 3 . 161 M = {S,y,X,V) is a 6 -dynamic T-model. Since y/ is .if-consistent there is an jA’-atom 
A G S that contains y and hence by the Dynamic Truth Lemma [3. 161 Y is true at A in M. QED 

As corollaries to our main theorem we obtain completeness for a number of concrete dynamic modal 
logics. 

Corollary 3.18 (i) We recover the classic result that PDL is complete with respect to U-dynamic 
models from the fact that the diamond version of the modal logic K is one-step complete with respect 
to (cf liZI/ ). U is a positive natural operation on and the Kripke diamond Ax(F) = {V G \ 
V nU td} is monotonic and its transpose is a monad morphism. (ii) Taking as base logic T£(y the 
monotonic modal logic M with semantics given by the usual monotonic neighbourhood predicate lifting 
Xx{U) = {N G I U G N} with rank-1 axiomatisation Ax = {<>{p/\q) f>p}, it is well known that 

jA<> is one-step complete for .M, see also Since U is a positive natural operation on .Jf, we get 
that dual-free GL is complete with respect to G-dynamic -models. (Hi) Similarly, dual-free GL with 
intersection is complete with respect to G,r\-dynamic -models. 










H.H. Hansen & C. Kupke 


103 


4 Conclusion 

There are several ways in which to continue our research. Firstly we will look for other, new examples 
that fit into our general coalgebraic framework. A first good candidate seems to be the filter monad 
^ (cf. in [HI Uni). It is easy to see that taking upsets yields a monad morphism z\ ^ ^ and the 
induced join on is intersection of filters. We note that filters are not closed under unions (only under 
updirected unions), so U is not a natural operation on ^. Taking .ifo to be the diamond version of 
modal logic K, and A : ^ ^ o ^ to he Xx{U) = {F ^ | \ 17 0 F} (i.e., the dual of the usual 

neigbourhood modality), then FFc, is complete with respect to the class of all ^-coalgebras, since any 
Kripke model {X,p: X ^ ^X^V) is pointwise equivalent with the ,^-model (A,Top: X — J^X,V), 
hence any tp that can be falsified in a Kripke model can also be falsified in a filter coalgebra, cf. [35 . We 
conjecture that jAo is one-step complete for ^ and A. From this, a completeness result would follow for 
a new PDL-like logic for the filter monad with intersection on actions. 

Secondly, we will study variations of our coalgebraic framework to monads that carry quantitative 
information to cover important cases such as probabilistic and weighted transition systems. We expect 
that we need to switch to a multivalued logic, using for example r(l) as truth value object, as in f3l. 
In general, we would also like to better understand how our exogenous logics relate to the endogenous 
coalgebraic logics of [[Jl and the weakest preconditions arising from state-and-effect triangles in, e.g., lH 
13. One difference is that in Ei], the monad T is assumed to be commutative. This condition ensures that 
the Kleisli category is enriched over Eilenberg-Moore algebras. This could be an interesting approach 
to obtaining a “canonical” algebra of program operations, even though, Eilenberg-Moore algebras do 
not have canonical representations in terms of operations and equations. Moreover, one of our main 
example monads, the monotonic neighbourhood monad is not commutative, but it is still amenable to 
our framework. 

Einally, our most ambitious aim will be to extend our coalgebraic framework to a completeness proof 
which will entail completeness of full GE which remains an open problem lfT5]l . One reason that this is a 
difficult problem is that, unlike PDE, full GE is able to express fixpoints of arbitrary alternation depth [Ij. 
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